docs(cors): add CORS configuration planning and tasks

Add comprehensive CORS planning documentation and task breakdown for
Phase 0.5 (8 tasks: T009-T016).

- Create research-cors.md with security analysis and decisions
- Add FR-022a to spec.md for production CORS requirements
- Update tasks.md: 94 → 102 tasks across 9 phases
- Document CORS in README and plan.md

Configuration approach: hybrid (configurable origins/credentials,
hardcoded methods/headers) with restrictive fail-safe defaults.
2026-01-01 23:29:31 +01:00
parent 8e4433ceaa
commit 2365bbc9b3
5 changed files with 678 additions and 78 deletions

@@ -169,7 +169,13 @@ As a user, I want to assign custom labels to each relay (e.g., "Garage Light", "
- **FR-019**: System MUST return HTTP 504 for Modbus timeout errors
- **FR-020**: System MUST include OpenAPI 3.0 specification accessible at `/api/specs`
- **FR-021**: System MUST apply rate limiting middleware (100 requests/minute per IP)
- **FR-022**: System MUST apply CORS middleware allowing all origins (local network deployment)
- **FR-022**: System MUST apply CORS middleware in development allowing all origins (`*`) for local development (port 5173)
- **FR-022a**: System MUST apply configurable CORS middleware in production with:
- Specific allowed origin from configuration (default: `https://REDACTED`)
- Credential support for Authelia authentication (`allow_credentials: true`)
- Configurable preflight cache duration (default: 1 hour)
- Hardcoded HTTP methods: GET, POST, PUT, PATCH, DELETE, OPTIONS
- Hardcoded allowed headers: content-type, authorization
- **FR-023**: System MUST start successfully even if Modbus device is unreachable at startup, marking device as unhealthy
- **FR-024**: System MUST persist relay labels to configuration file (YAML) for persistence across restarts
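Review bot: FR-022 and FR-022a read as two independent requirements, but together they leave an unsafe combination unstated: FR-022 allows the wildcard origin (`*`) in development while FR-022a enables `allow_credentials: true`, and browsers refuse to send or honour a credentialed response whose `Access-Control-Allow-Origin` is `*`, so a wildcard must never be paired with credentials in either mode. Suggest adding one bullet under FR-022a making that explicit, e.g. "Wildcard origin (`*`) MUST NOT be combined with `allow_credentials: true`; the configured origin MUST be compared as an exact string match (scheme, host and port), not as a prefix or substring." The "Configurable preflight cache duration (default: 1 hour)" bullet should also state the unit the configuration key expects (seconds, i.e. 3600), since the value is passed straight through to `Access-Control-Max-Age`.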